Authentication and access control

This article introduces authentication and access control in Azure Databricks. For information about securing access to your data, see Data governance with Unity Catalog.

Single sign-on using Microsoft Entra ID

Single sign-on in the form of Microsoft Entra ID-backed login is available in Azure Databricks account and workspaces by default. You use Microsoft Entra ID single sign-on for both the account console and workspaces. You can enable multi-factor authentication using Microsoft Entra ID.

You can configure just-in-time (JIT) provisioning to automatically create new user accounts from Microsoft Entra ID upon their first login. See Automatically provision users (JIT).

Sync users and groups from Microsoft Entra ID

Databricks recommends syncing identities from Microsoft Entra ID to Azure Databricks using automatic identity management (Public Preview).

Using automatic identity management, you can directly search in identity federated workspaces for Microsoft Entra ID users, service principals, and groups and add them to your workspace and to the Azure Databricks account. Databricks uses Microsoft Entra ID as the source of record, so any changes to users or group memberships are respected in Azure Databricks. For detailed instructions, see Sync users and groups automatically from Microsoft Entra ID.

You can also use SCIM provisioning to sync users and groups from Microsoft Entra ID to Azure Databricks. See Sync users and groups from Microsoft Entra ID using SCIM.

Secure API authentication with OAuth

Azure Databricks OAuth supports secure credentials and access for resources and operations at the Azure Databricks workspace level and supports fine-grained permissions for authorization.

Databricks also supports personal access tokens (PATs), but recommends that you use OAuth instead. To monitor and manage PATs, see Monitor and revoke personal access tokens and Manage personal access token permissions.

For more information on authenticating to Azure Databricks automation overall, see Authorizing access to Azure Databricks resources.
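The following is an added example for this article, not Databricks' own code or SDK, showing what "OAuth instead of a PAT" looks like for an automation job: a service principal obtains a short-lived access token with the OAuth 2.0 client-credentials grant and presents it as a Bearer token on REST calls, refreshing it before expiry, so no long-lived secret is embedded in the script. It assumes the workspace token endpoint is https://<workspace-host>/oidc/v1/token, that the scope "all-apis" is requested, and that the client id and secret belong to a service principal with an OAuth secret; the hostname, client id and secret below are placeholders, and the token endpoint response is a constructed stand-in so the logic runs offline.

```python
"""OAuth client-credentials (M2M) token source for the Azure Databricks REST API.

Added example for this article (not Databricks' own code). Assumptions: the
workspace token endpoint is https://<workspace-host>/oidc/v1/token, scope
"all-apis" is requested, and the client id/secret are a service principal's
OAuth credentials. Network I/O is injected so the example can run offline.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oidc/v1/token"


def build_token_request(workspace_host, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials token request.

    The client secret travels only in the HTTP Basic Authorization header,
    never as a query parameter, so it does not land in URL-based access logs.
    """
    url = f"https://{workspace_host}{TOKEN_PATH}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "all-apis"}
    ).encode()
    return url, headers, body


def http_post(url, headers, body):
    """Real transport: POST the form body and return (status, response_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


class OAuthTokenSource:
    """Fetches an access token on demand and refreshes it shortly before expiry,
    so the process only ever holds a short-lived credential in memory."""

    def __init__(self, workspace_host, client_id, client_secret,
                 transport=http_post, clock=time.time, refresh_skew=60):
        self._host = workspace_host
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport      # injectable for offline use
        self._clock = clock              # injectable for deterministic expiry tests
        self._skew = refresh_skew        # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0             # number of calls made to the token endpoint

    def access_token(self):
        now = self._clock()
        if self._token is not None and now < self._expires_at - self._skew:
            return self._token
        url, headers, body = build_token_request(
            self._host, self._client_id, self._client_secret)
        status, text = self._transport(url, headers, body)
        self.fetch_count += 1
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        payload = json.loads(text)
        if payload.get("token_type", "").lower() != "bearer" or not payload.get("access_token"):
            raise RuntimeError("token response is not a bearer access token")
        self._token = payload["access_token"]
        # expires_in is seconds from issuance; a missing value forces a re-fetch next call
        self._expires_at = now + float(payload.get("expires_in", 0))
        return self._token

    def auth_header(self):
        """Header to attach to REST calls, e.g. GET /api/2.0/clusters/list."""
        return {"Authorization": f"Bearer {self.access_token()}"}


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for the token endpoint, used only to run this offline."""
    assert url.endswith(TOKEN_PATH)
    assert headers["Authorization"].startswith("Basic ")
    assert b"grant_type=client_credentials" in body
    return 200, json.dumps({"access_token": "constructed-token",
                            "token_type": "Bearer", "expires_in": 3600})


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your workspace and service principal.
    src = OAuthTokenSource("adb-example.azuredatabricks.net", "client-id-placeholder",
                           "client-secret-placeholder", transport=fake_token_endpoint)
    print(src.auth_header())
```

The injected transport and clock are what make the refresh logic testable without a workspace; in production you keep the default `http_post` and `time.time`, and the secret itself should come from a secret store or CI variable rather than source.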

Access control overview

In Azure Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

Securable object                     Access control system
Workspace-level securable objects    Access control lists
Account-level securable objects      Account role based access control
Data securable objects               Unity Catalog

Azure Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.

For information about securing data, see Data governance with Unity Catalog.

Access control lists

In Azure Databricks, you can use access control lists (ACLs) to configure permissions to access workspace objects such as notebooks and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.
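As an added example for this article (not Databricks' own code), the block below shows how a workspace ACL is set through the Permissions API and how to review it for least privilege before applying it: it computes the effective permission a principal gets directly or through group membership, and flags grants to the built-in "users" group (every workspace user) above a chosen level. It assumes the REST shape PATCH /api/2.0/permissions/notebooks/<notebook_id> with an "access_control_list" of entries keyed by user_name, group_name or service_principal_name plus a permission_level, and that notebook levels from weakest to strongest are CAN_READ, CAN_RUN, CAN_EDIT, CAN_MANAGE. The sample ACL, group memberships and the service principal application id are constructed.

```python
"""Build and review a notebook ACL for the Azure Databricks Permissions API.

Added example for this article (not Databricks' own code). Assumptions:
PATCH /api/2.0/permissions/notebooks/<id> takes {"access_control_list": [...]},
each entry names one principal (user_name, group_name or
service_principal_name) and a permission_level, and notebook levels rank
CAN_READ < CAN_RUN < CAN_EDIT < CAN_MANAGE. The "users" group holds every
workspace user. Sample data below is constructed.
"""
import json

NOTEBOOK_LEVELS = ["CAN_READ", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"]
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")
ALL_USERS_GROUP = "users"


def rank(level):
    """Position of a level in the hierarchy; unknown names are rejected early."""
    if level not in NOTEBOOK_LEVELS:
        raise ValueError(f"unknown permission level: {level}")
    return NOTEBOOK_LEVELS.index(level)


def principal_of(entry):
    """Return (key, name) for the single principal an ACL entry names."""
    keys = [k for k in PRINCIPAL_KEYS if k in entry]
    if len(keys) != 1:
        raise ValueError(f"entry must name exactly one principal: {entry}")
    return keys[0], entry[keys[0]]


def build_permissions_request(notebook_id, acl):
    """Return (method, path, json_body) for the Permissions API call.

    PATCH adds or updates the listed grants and leaves others untouched;
    PUT on the same path would replace the whole ACL.
    """
    for entry in acl:
        principal_of(entry)
        rank(entry["permission_level"])
    path = f"/api/2.0/permissions/notebooks/{notebook_id}"
    return "PATCH", path, json.dumps({"access_control_list": acl})


def effective_level(principal, acl, group_members):
    """Strongest level a user or service principal gets, directly or via a group.

    group_members maps group name -> set of member names.
    """
    best = None
    for entry in acl:
        key, name = principal_of(entry)
        if key == "group_name":
            granted = principal in group_members.get(name, ())
        else:
            granted = name == principal
        if granted and (best is None or rank(entry["permission_level"]) > rank(best)):
            best = entry["permission_level"]
    return best


def review_acl(acl, max_broad_level="CAN_READ"):
    """Findings for over-broad or duplicated grants, meant to run before applying."""
    findings = []
    seen = set()
    for entry in acl:
        principal = principal_of(entry)
        level = entry["permission_level"]
        if principal in seen:
            findings.append(f"duplicate grant for {principal[1]}")
        seen.add(principal)
        if principal == ("group_name", ALL_USERS_GROUP) and rank(level) > rank(max_broad_level):
            findings.append(
                f"'{ALL_USERS_GROUP}' group granted {level}: every workspace user receives it")
    return findings


# Constructed sample: one over-broad grant to all users, the rest scoped.
SAMPLE_ACL = [
    {"group_name": "users", "permission_level": "CAN_EDIT"},
    {"group_name": "data-eng", "permission_level": "CAN_RUN"},
    {"user_name": "alice@example.com", "permission_level": "CAN_MANAGE"},
    {"service_principal_name": "sp-app-id-placeholder", "permission_level": "CAN_RUN"},
]
SAMPLE_GROUPS = {
    "users": {"alice@example.com", "bob@example.com"},
    "data-eng": {"bob@example.com"},
}

if __name__ == "__main__":
    for finding in review_acl(SAMPLE_ACL):
        print("finding:", finding)
    print("bob effective:", effective_level("bob@example.com", SAMPLE_ACL, SAMPLE_GROUPS))
    print(build_permissions_request("1234567890", SAMPLE_ACL))
```

Running the review before the PATCH is the useful part: in the sample, bob has no direct grant, yet his effective level is CAN_EDIT because of the "users" entry, which is exactly the kind of grant the review surfaces.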

Account role based access control

You can use account role based access control to configure permissions to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.

Follow these articles for more information on account roles on specific account-level objects:

Admin roles and workspace entitlements

There are two main levels of admin privileges available on the Azure Databricks platform:

  • Account admins: Manage the Azure Databricks account, including enabling Unity Catalog and user management.
  • Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.

There are also feature-specific admin roles with a narrower set of privileges. To learn about the available roles, see Azure Databricks administration introduction.

An entitlement is a property that allows a user, service principal, or group to interact with Azure Databricks in a specified way. Workspace admins assign entitlements to users, service principals, and groups at the workspace level. For more information, see Manage entitlements.